Option to disable the scope & new defaults enforcement
In this release cycle, a few services are enabling the
enforce scope and new defaults by default. Example Nova:
- https://review.opendev.org/c/openstack/nova/+/866218)
Until the new defaults enalbing by default is not released we
should keep testing the old defaults in existing jobs and we can
add new jobs testing new defautls. To do that we can provide the
way in devstack to keep scope/new defaults disable by default which
can be enabled by setting enforce_scope variable to true.
Once any service release the new defaults enabled by default then
we can switch the bhavior, enable the scope/new defaults by default
and a single job can disbale them to keep testing the old defaults
until service does not remove those.
Change-Id: I5c2ec3e1667172a75e06458f16cf3d57947b2c53
diff --git a/lib/keystone b/lib/keystone
index 80a136f..6cb4aac 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -265,10 +265,15 @@
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
fi
+
+ iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+
if [[ "$KEYSTONE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $KEYSTONE_CONF oslo_policy enforce_scope true
iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults true
- iniset $KEYSTONE_CONF oslo_policy policy_file policy.yaml
+ else
+ iniset $KEYSTONE_CONF oslo_policy enforce_scope false
+ iniset $KEYSTONE_CONF oslo_policy enforce_new_defaults false
fi
}